jacquesvdm
Posted: Wed Jan 18, 2012 2:25 am Post subject: SSL queue manager to queue manager
Apprentice
Joined: 18 Jan 2012 Posts: 29
The SSL connection was closed by the remote end of the channel during the SSL handshake.
I have two queue managers using sender/receiver channel pairs configured to use SSL. The channels both start successfully and run for a while. After a few days I noticed that both channels are in retrying state. The error log has this error: "The SSL connection was closed by the remote end of the channel during the SSL handshake".
On the other server I have this error:
Bad SSL certificate for channel '????'.
A certificate encountered during SSL handshaking is regarded as bad for one of the following reasons:
(a) it was formatted incorrectly and could not be validated
(b) it was formatted correctly but failed validation against the Certification Authority (CA) root and other certificates held on the local system
(c) it was found in a Certification Revocation List (CRL) on an LDAP server
(d) a CRL was specified but the CRL could not be found on the LDAP server
(e) an OCSP responder has indicated that it is revoked
The channel is '????'; in some cases its name cannot be determined and so is shown as '????'. The remote host is 'agent4 (ip address removed)'. The channel did not start.
It seems like the keystores on both ends are no longer valid. After recreating the keystores, regenerating the certificates and again exchanging the newly generated keys, the channels start again and the cycle starts again.
Anyone else have similar experience?
Thanks
zpat
Posted: Wed Jan 18, 2012 3:54 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
You could disable OCSP with this in the qm.ini files.
Quote:
    SSL:
    OCSPCheckExtensions=No ; Do not try to contact OCSP server
    OCSPAuthentication=WARN
IBM have turned it on by default in WMQ v7 and it can cause issues.
exerk
Posted: Wed Jan 18, 2012 4:12 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
zpat wrote:
    You could disable OCSP with this in the qm.ini files.
    Quote:
        SSL:
        OCSPCheckExtensions=No ; Do not try to contact OCSP server
        OCSPAuthentication=WARN
    IBM have turned it on by default in WMQ v7 and it can cause issues.
By default the channel would not work at all from its initial start, not work for a while and then fail.
jacquesvdm, even if you are not using CRLs, or populating the SSLCRNL attribute of the queue manager, certificate revocation checking is not invoked unless one of the SSL certificates used contains an AuthorityInfoAccess or CrlDistributionPoint X.509 certificate extension.
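The point exerk makes (revocation checking only starts when one of the certificates carries an AuthorityInfoAccess or CrlDistributionPoint extension) can be confirmed on your own channel certificates before touching the OCSP settings. The following is an added example, not code from this thread or from IBM: a minimal DER walker that reports which of the two extensions a DER or PEM certificate contains; the sample_extensions data is constructed for the demonstration and is not a real certificate.

```python
import base64

# DER-encoded OIDs of the two X.509 extensions whose presence makes WMQ start revocation checking
OID_AIA = bytes.fromhex("2b06010505070101")    # 1.3.6.1.5.5.7.1.1 AuthorityInfoAccess (OCSP URL)
OID_CRLDP = bytes.fromhex("551d1f")            # 2.5.29.31 CrlDistributionPoint

def der_tlvs(data):
    """Yield (tag, body) for each DER TLV in data (short and long-form lengths)."""
    pos = 0
    while pos < len(data):
        tag, length, pos = data[pos], data[pos + 1], pos + 2
        if length & 0x80:                       # long form: next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        yield tag, data[pos:pos + length]
        pos += length

def collect_oids(data):
    """Recursively walk constructed TLVs and collect every OBJECT IDENTIFIER body found."""
    found = set()
    for tag, body in der_tlvs(data):
        if tag == 0x06:
            found.add(body)
        elif tag & 0x20:                        # constructed: SEQUENCE, SET, [n] EXPLICIT
            found |= collect_oids(body)
    return found

def revocation_extensions(cert):
    """Names of the revocation-related extensions present in a DER or PEM certificate."""
    if cert.lstrip().startswith(b"-----BEGIN"):  # PEM: drop armour lines, base64-decode
        cert = base64.b64decode(b"".join(l for l in cert.splitlines() if not l.startswith(b"-----")))
    oids = collect_oids(cert)
    names = (("AuthorityInfoAccess", OID_AIA), ("CrlDistributionPoint", OID_CRLDP))
    return {name for name, oid in names if oid in oids}

def _tlv(tag, body):                            # short-form DER encoder, used for the sample only
    return bytes([tag, len(body)]) + body

def sample_extensions(with_aia=True, with_crldp=False):
    """Constructed sample, not a real certificate: [3] Extensions with keyUsage and, optionally,
    AuthorityInfoAccess and CrlDistributionPoint (each with an empty SEQUENCE as its value)."""
    exts = [_tlv(0x30, _tlv(0x06, bytes.fromhex("551d0f")) + _tlv(0x04, bytes.fromhex("030205a0")))]
    for present, oid in ((with_aia, OID_AIA), (with_crldp, OID_CRLDP)):
        if present:
            exts.append(_tlv(0x30, _tlv(0x06, oid) + _tlv(0x04, b"\x30\x00")))
    return _tlv(0xA3, _tlv(0x30, b"".join(exts)))

def sample_pem(der):                            # wrap DER in the PEM armour openssl writes out
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n"
```

Run revocation_extensions on each certificate in the channel's key database (exported as PEM or DER); an empty result means the OCSPCheckExtensions and OCSPAuthentication settings will never come into play for that certificate.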
jacquesvdm
Posted: Wed Jan 18, 2012 4:18 am Post subject: SSL entries on Windows
Apprentice
Joined: 18 Jan 2012 Posts: 29
Hi
I am working on Windows XP and Windows Server 2008 R2. Can I assume that I have to create the SSL stanza using REGEDIT and then insert the three settings as indicated in your email? I do not see SSL settings on my queue manager currently.
exerk
Posted: Wed Jan 18, 2012 4:56 am Post subject: Re: SSL entries on Windows
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
jacquesvdm wrote:
    Hi
    I am working on Windows XP and Windows Server 2008 R2. Can I assume that I have to create the SSL stanza using REGEDIT and then insert the three settings as indicated in your email? I do not see SSL settings on my queue manager currently.
If you're using V7.0.1.7 (the version I'm using) the settings are in the SSL tab of the queue manager view in MQExplorer. Alternatively, use the following command lines:
    amqmdain reg <QMGR NAME> -c add -s SSL -v OCSPAuthentication=Optional
    amqmdain reg <QMGR NAME> -c add -s SSL -v OCSPCheckExtensions=NO
'Optional' above can be changed to 'Warn' if you prefer; however, that will cause a lot of logging of warnings in the queue manager error logs.
jacquesvdm
Posted: Wed Jan 18, 2012 5:06 am Post subject: Additional SSL configs
Apprentice
Joined: 18 Jan 2012 Posts: 29
Hi
Thanks for this. I am using MQ 7.0.1.7 and saw the settings. I will change them and keep you posted.
Regards
jacquesvdm
Posted: Wed Jan 18, 2012 11:31 pm Post subject: SSL issue
Apprentice
Joined: 18 Jan 2012 Posts: 29
Just an update: so far so good.
I will now only write an update if it fails again.
Regards
Jacques
zpat
Posted: Thu Jan 19, 2012 12:38 am Post subject: Re: SSL entries on Windows
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
exerk wrote:
    amqmdain reg <QMGR NAME> -c add -s SSL -v OCSPAuthentication=Optional
    amqmdain reg <QMGR NAME> -c add -s SSL -v OCSPCheckExtensions=NO
    'Optional' above can be changed to 'Warn' if you prefer; however, that will cause a lot of logging of warnings in the queue manager error logs.
No, it won't, unless OCSPCheckExtensions=YES is also set.
exerk
Posted: Thu Jan 19, 2012 1:08 am Post subject: Re: SSL entries on Windows
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
zpat wrote:
    exerk wrote:
        amqmdain reg <QMGR NAME> -c add -s SSL -v OCSPAuthentication=Optional
        amqmdain reg <QMGR NAME> -c add -s SSL -v OCSPCheckExtensions=NO
        'Optional' above can be changed to 'Warn' if you prefer; however, that will cause a lot of logging of warnings in the queue manager error logs.
    No, it won't, unless OCSPCheckExtensions=YES is also set.
Again, another school day - thank you!